undefined | Better HN

0 pointsakdev1l2y ago0 comments

The WhatsApp client does give Meta a window of opportunity to get data from users.

The data is otherwise E2E encrypted but when you see a link preview on WhatsApp Meta knows that.

0 comments

Only the messages are encrypted, but there's a ton of metadata that isn't, e.g. who you talk to, when, where you are when you do so, ...

akdev1lOP2y ago

But in the client is the only time their code touches the actual unencrypted message data.

Also a lot of the data you mentioned will also not be available if you don’t use their client, eg: if you use Signal client then Facebook won’t get your location all as that’s not part of regular text message

arp2422y ago

Do they actually do that? Because I'm not so sure that they do.

akdev1lOP2y ago

The preview sends a request to some server on a Facebook subdomain. I know because I was sniffing traffic on my phone without any Facebook app installed other than WhatsApp.

arp2422y ago

Okay, but do they actually use any data from that? What does the privacy policy say? Have any effects been observed beyond "uses a facebook domain" (e.g. you see ads on Facebook for a site you had in preview)? Is there functional reason for using that domain?

akdev1lOP2y ago

Do you think I’m a Facebook employee…?

Because no one else can answer your questions.

1 more reply

lxgr2y ago

Did you see the content of that domain? It might be spam/phishing protection, which can be done in a privacy-preserving way (e.g. sending only a truncated hash of the link TLD to a server and downloading a larger set of blocked domains for local filtering).

At least on my Mac, I also only see connections to the URL domain, nothing to a Facebook subdomain.

akdev1lOP2y ago

There’s like 1000 reasons why the domain could be used. (For example you wouldn’t want 1M phones destroying a website because it became viral on WhatsApp, hence a caching layer is probably needed)

I don’t work at Facebook on this specific system that handles link previews so I have no idea of the details.

The fact is that if they send a request containing the link I previewed which is tied to my IP which connects to my Facebook account then they can 100% correlate that information and figure it out.

Are they doing that? Maybe, maybe not. I don’t work there. But they can if they want to so it all comes down to trust. Do you trust Meta?

petre2y ago

Meta and 'privacy-preserving' are a contradiction in terms.

j / k navigate · click thread line to collapse

0 comments

Vinnl2y ago

Only the messages are encrypted, but there's a ton of metadata that isn't, e.g. who you talk to, when, where you are when you do so, ...

akdev1lOP2y ago

But in the client is the only time their code touches the actual unencrypted message data.

arp2422y ago

Do they actually do that? Because I'm not so sure that they do.

akdev1lOP2y ago

The preview sends a request to some server on a Facebook subdomain. I know because I was sniffing traffic on my phone without any Facebook app installed other than WhatsApp.

arp2422y ago

akdev1lOP2y ago

Do you think I’m a Facebook employee…?

Because no one else can answer your questions.

1 more reply

lxgr2y ago

At least on my Mac, I also only see connections to the URL domain, nothing to a Facebook subdomain.

akdev1lOP2y ago

I don’t work at Facebook on this specific system that handles link previews so I have no idea of the details.

The fact is that if they send a request containing the link I previewed which is tied to my IP which connects to my Facebook account then they can 100% correlate that information and figure it out.

Are they doing that? Maybe, maybe not. I don’t work there. But they can if they want to so it all comes down to trust. Do you trust Meta?

petre2y ago

Meta and 'privacy-preserving' are a contradiction in terms.

j / k navigate · click thread line to collapse